Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

MightyMartian writes "The company I work for has just had their government contract renewed, which is good news, giving me several more years of near-guaranteed employment! However, in going through all the schedules and supplementary documents related to the old contract, which we will begin winding down next spring, we've discovered some pretty stiff data remanence requirements that, for hard drives at least, boil down to 'they must be sent to an appropriately recognized facility for destruction.' Now keep in mind that we are the same organization that has been delivering this contract all along, so the equipment isn't going anywhere. What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high. I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed. I'd like to write up a report to submit to our government contract managers, and would be interested if any Slashdotters have experience with this, or have any references or citations to academic or industry papers on dealing with data remanence without destroying physical media?"

There is software out there (like D-BAN [dban.org]) which will repeatedly overwrite the data on a hard drive, rendering it unrecoverable. Why not use that, rather than relying on encryption?

How do you verify that the software does this correctly, and that it hasn't been tampered with? What if a drive is mishandled and doesn't get wiped? And if there's a process to do this correctly and with no chance of failure, is it worth that effort to recycle some old hard drives?

Where I work, hard drives with less-sensitive data can be reused; other ones are ground up into little bits. Data cannot be recovered(*) from a thoroughly destroyed hard drive. What assurance is there for a software solution?

(*) To the best of my knowledge. Maybe NSA can piece together the dust of a hard drive, but I highly doubt it.

A lot of disks have "bad sector" replacement. When a sector starts to be unreadable, it replaces that sector with a spare one set aside for that purpose. Does the software wipe out these revectored sectors, or can someone read those old sectors after software overwrite?

It depends on the security threat on how serious you need to be about wiping data off drives. Sometimes just 'rm'ing files is enough. Sometimes dropping them in a volcano isn't enough.

Well, DBAN is open source. If you have suspicions, you're welcome to review the source compile your own version with a trusted compiler. If that isn't to your liking, there are commercial tools that do the same thing.

As for, "What if a drive is mishandled and doesn't get wiped," well, isn't that a concern with physical destruction too?

Well, DBAN is open source. If you have suspicions, you're welcome to review the source compile your own version with a trusted compiler. If that isn't to your liking, there are commercial tools that do the same thing.

This requires a) proving that the software is correct and b) verifying that the compiled result hasn't been tampered with. For the latter, I'll refer you to http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com].

As for, "What if a drive is mishandled and doesn't get wiped," well, isn't that a concern with physical destruction too?

Sure, the process can still be subverted, but it's a lot easier to verify that a hard drive has been destroyed (along with inventory checks on all hard drives being removed from a facility) than it is to verify that a hard drive has been properly wiped.

Sure, the process can still be subverted, but it's a lot easier to verify that a hard drive has been destroyed

Imagine, if you will, someone who wanted your data and could intercept the drive for long enough to swap the platters on a drive (thus taking the important data with them). How do you verify that your data was destroyed?

One way would be to send a backup (or SHA1 hash) of the data on the drive to the data destruction facility and have them verify that the data on drive serial number 123456789 is what it is expected to be before destruction. If you aren't doing something like this, then you have no way of knowing whether your data is really gone or not. If you think this sort of thing can't happen, read some of the stories about how people get back the wrong ashes from cremations.

Sure, the process can still be subverted, but it's a lot easier to verify that a hard drive has been destroyed

Imagine, if you will, someone who wanted your data and could intercept the drive for long enough to swap the platters on a drive (thus taking the important data with them).

If someone wants your data and they have enough access that they can actually swap platters and smuggle the data out, then you're already in trouble. Destroying a hard drive makes it a lot less likely that data will be inadvertently leaked.

Yeah that's some seriously paranoid international espionage shit. If the stuff is that dangerous and valuable, I'd think you could have the shredding hw brought to you and watch the things go in... or ask the NSA or CIA to deal with the drives for you.

If you actually try this, it will take forever to finish due to the/dev/random seeds being quickly exhausted. The computer will have to wait for new seeds from mouse inputs et cetera.
pseudo-random is also slow./dev/zero or/dev/one is as fast as the i/o can work and just as non-recoverable for all practical purposes, urban legends aside.

There was a challenge not long ago for anyone to recover any data whatsoever from a harddisk that had been overwritten just once with zeros (which should be considerably easier than one that was overwritten with random data). I don't remember what the prize was, but it was a considerable amount of money and would have been priceless publicity for any data recovery company that could pull it off. Nobody claimed the prize, and when asked, they all said it was impossible. Of course that won't keep them from se

Yea, you're remembering that contest how you want to remember it. The prize was a pittance, and the "company" offering it was a handful of people. There were also ridiculous restrictions, such as not damaging the single physical drive the whole challenge was based around. And several data companies said they likely could recover some data, just not necessarily the specific file that that the challenge was based around (as a general rule, you can't target a file, you get whatever it is you get). But the process involves ripping the drives to pieces and costs significantly more than the challenge was worth. And since the challenge was issued by a handful of guys rather than an actual, large company, very little publicity would have been generated, so it wasn't worth it to anyone.

Now, even if that story happened exactly as you remember it, it's still irrelevant. The point isn't that that it's currently possible, it's that it's theoretically possible and thus may be trivial in the near or distant future. For certain kinds of data, that is a world of difference.

Yea, you're remembering that contest how you want to remember it. The prize was a pittance, and the "company" offering it was a handful of people. There were also ridiculous restrictions, such as not damaging the single physical drive the whole challenge was based around. And several data companies said they likely could recover some data, just not necessarily the specific file that that the challenge was based around (as a general rule, you can't target a file, you get whatever it is you get). But the process involves ripping the drives to pieces and costs significantly more than the challenge was worth. And since the challenge was issued by a handful of guys rather than an actual, large company, very little publicity would have been generated, so it wasn't worth it to anyone.

Now, even if that story happened exactly as you remember it, it's still irrelevant. The point isn't that that it's currently possible, it's that it's theoretically possible and thus may be trivial in the near or distant future. For certain kinds of data, that is a world of difference.

+1 for AC

In addition, they required that you release your methods for recovering the data, which I'm sure is worth a lot more than the 3-4 digits they were offering.

There was a challenge not long ago for anyone to recover any data whatsoever from a harddisk that had been overwritten just once with zeros (which should be considerably easier than one that was overwritten with random data). I don't remember what the prize was, but it was a considerable amount of money and would have been priceless publicity for any data recovery company that could pull it off.

That fact that nobody publicly proved that they could do this does not mean that it can't be done. If NSA had the capability to do this, do you think they'd share that information? If the data is sensitive enough, why risk even a very small chance that it could be recovered by the wrong party?

Its not a myth, its a theoretical possibility that either noone has the current capability to do, or they do and its simply too cost prohibitive, or else we simply dont know about it. Thats not terribly reassuring if youre dealing with data whose leak might cause jail time.

As for formatting, depending on how you format the drive, it may or may not overwrite the data at all and may leave it ripe for the picking.

Honestly, if youre dealing with government and they say "we want the drives shredded", DBAN set to a DoD approved setting MIGHT be a reasonable suggestion, as would encryption (as we can actually quantify the risk there, and it is vanishingly small), but saying "ah, just zero it once or format it, it doesnt make a difference" sounds incredibly foolhardy.

HDDErase will do an ATA low-level secure erase that tells the controller to zero out all sectors. Even though that are on the relocated table which would be inaccessible via normal software solutions.

After HDDErase does its job (which it does in a pretty quick amount of time since there is no I/O involved, but just the write head laying down zeros), running DBAN on the drive adds further insurance. Realistically, this will remove all data.

Of course, prevention is a good idea as well. This is why I have some type of FDE software on my drives. This way, a simple zeroing out of the drive will be enough. In fact, the format command in Windows will check to see if a disk is BitLocker protected and zero out the places where the volume key resides, so even if someone knew the password to the drive, it will do them no good.

In NIST/DoD parlance, what DBAN is cleaning/purging; i.e., either overwrite, or invoke the SATA Secure Erase command. Degaussing is also classified as purging (though the disk becomes unusable AFAIK); degaussing is better suited towards tapes IMHO.

You also need to Validate that it has been done, and document that fact for each drive that has been sanitised.

The OP will have to ask the contract manager at what level the information is considered at (low, medium, high) and then make plans accordingly. If it's high security, one can simply purge the media if you want to re-use the media with-in an organization, but if you ever want to toss the disk (or even if it's in a RAID array and you need to replace because it died), you need to destroy it and record that fact.

So if your EMC/NetApp/Dell array has sensitive information, you can't send it back to the OEM if sensitive data ever touched it: you have to make arrangements with the OEM so that you can destroy it. Ditto for your laptop/desktop drives: if Lenovo/HP want/s the drive back, they can't have it as otherwise you'll be breaking your contract with the government.

No need even for DBAN. Unless you're using truly ancient decade-old HDDs, use the ATA SECURE ERASE command built into the HDD controller. Much faster than DBAN, and wipes not only the accessible sectors but sectors in the G-list. Plus it's NIST and NSA approved, so it should be complaint with any government requirements for data destruction.

It also effectively returns non-TRIM SSDs to a factory state. Remember: when used on SATA drives, set your bios to IDE compatibility mode, not AHCI.

Yep, this is better than encrypting the drive in that it's possible to secret away a copy of the encryption key and later unlock all the data, or perhaps the algorithm used for encryption gets broken, so suddenly the data is readable again, and so forth.

Encryption offers no advantage over a strict drive wipe, particularly with random data. Realistically multiple passes are not needed because modern bit densities make it improbable that magnetic memory can be meaningfully recovered. Thinking it does demons

It really depends on the terms of the contract. That's what controls. You can theorize and speculate and pontificate all you want, that contract is what they agreed to, and what the government agreed to pay for.

Now, the phrases "sent to an appropriately recognized facility" and "data remanence" make me suspect this is classified information, which would mean the contract is under NISP (National Industrial Security Program) jurisdiction. There are four possible CSAs (Cognizant Security Authorities) -- DoD, DoE, CIA, and NRC. I'm really only familiar with DoD, but I believe the rest follow suit on this. To wit:

Since Oct 2007, when ISL 2007-01 [dss.mil] (Industrial Security Letter) was issued, overwrite methods are not acceptable for fixed disks. Degaussing or physical destruction are the only acceptable methods.

Degaussing has to be done using a deguasser which is on the NSA EPL (Evaluated Products List). This generally renders the hard disk inoperable. (Modern hard disks have their servo tracks encoded at the factory, and generally don't have field low-level format capability.)

Physical destruction has to cover the entire recording media. (e.g., "target practice" isn't acceptable.) They generally want the entire recording surface ground off, melted down, shredded to dust, and/or raised above the curie point. You can't just toss it in any old shredder.

You have to provide a certificate of destruction, saying you've done this. Failure to do so results in loss of Security Clearance, loss of contract, loss of future contract opportunities, fines, and/or jail. I wouldn't recommend it.

Now, submitter mentions they're going on to a new contract. If this is DoD, they should check the DD254 to see if it's the same classification derivation. If it is, they should be able to get approval to continue using the old systems. They should have a formal ATO (Approval To Operate) that identifies who to contact.

Now, if I'm way off base, and this isn't classified, then it's still up to what the contract says. There are various government standards that might be called out. NIST 800-88 [nist.gov] is one; it allows for sanitization by overwrite, IIRC.

You've said it better than I could - and I'd go further to say that the fact that he considered encrypting the data and then destroying the key indicates that the OP is incompetent to be doing this kind of work. You don't destroy data by making an unreadable copy of it. You destroy it by destroying it, which could mean physical destruction, or could mean multiple overwrites (but the face that the government requirements state physical destruction implies that they have already considered and rejected this option).

This. Think about it. The data's on the disk in the clear. You're either going to overwrite it with random bits, or with an encrypted version of itself. Magnetically there's not a lot of difference there. If the original data can be retrieved in one scenario it can be retrieved in the other one. What's more, if you're encrypting rather than overwriting with garbage, now you have the encrypted data that can be attacked. (Obviously if the cleartext never hits the hard drive in the first place it's a co

Assuming it a Federal gov contract, there are different standards depending on the Department. Also depends on the classification of the drive. I would go with the standards of the Department you are contracted to.

Encrypting truly random data does not make it more random... You could argue that getting enough entropy to do that without an external random number generator would be hard, although Intel's upcoming chips have a DRNG that can pump out good quality entropy to go into the system RNG at speeds faster than an HDD can write sequentially.

It used to be that there were several ways to recover data from a wiped drive even after wiping the data and writing over it, but from what I understand that due to the size of a bit on a modern hard drive that it is impossible to read something that has been overwritten.

As you describe it, the original contract wanted the data destroyed at the end of the contract term. You've just had the contract *renewed*, which is another word for "extended". Why exactly would anyone want the data destroyed in mid-contract?

Your contact negotiators ought to have realised that the government didn't need you to destroy the data until the end of the new contract, and written that into the new contract, thereby over-riding the old one. More than saving you the money, it was one of your advantages as the incumbent contractor: compared with a competitor, you could perform the second contract term at lower cost simply because you could off-set the data destruction cost for which you were already contracted simply by writing into the new contract permission to defer that destruction! This would allow you to underbid any potential competitor - or if there is no likely competitor, writing deferral in would be a straight profit to you at no cost to the customer. That kind of win-win is *exactly* what your contract negotiators are paid to spot and capitalise on.

As poster above says, your contract office can still possibly rescue this by simply writing and asking for permission to not destroy the data until the end of the renewed contract term. All the same, missing this at contract negotiation time is something that should come up in somebody's annual performance assessment.

The contract states that it must be physically destroyed. Depending on what kind of business you are in, the government will only accept physical destruction of a drive if classified data was ever on it.
You will need to adhere to the contract and destroy and replace drives or the Government will rake your company over the coals during an audit. They will also then demand monies paid back, tack on a huge fine, and possibly criminal charges on anyone that failed to properly dispose of and destroy the data per the contract.

Pretty much. Next time read the friggin' contract, subby. If you don't adhere to the terms of the contract and the government finds out, this could well be your company's last government contract. If you're lucky.

Your old contract requires the destruction of the equipment. Your new contract failed to price in its replacement. Why is this the agency's problem? If I were the client, I'm not going to go out of my way to evaluate your data destruction ideas and instead would simply request you perform the contract as agreed.

Exactly. They'll want certificates proving the drives were destroyed per the contract.

Part of your contract bottom line includes the cost of replacing those drives. If your company bid too low and won't make a profit, that's really a shame, but that's something you'll have to take up with the salesperson who wrote the proposal.

Also, realize that hard drives are only expensive *NOW*. Remember what happened in Japan that was supposed to kill the electronics market until the end of the year? In 6 month's time, the prices of hard drives will come back down. Unless your contract is only a month long, the destruction probably won't happen until then, which is probably a year or more down the road (unless it gets renewed again). In the mean time, you only destroy hard drives of PCs that are being decomissioned, so they've already been replaced and no issue at all.

Also - why are you trying to find ways around it? It's in the contract and you wouldn't have gotten it if you didn't agree to the requirement. Is it really to save the company a few bucks? Or is it the inner geek who can't see the sight of tossing a 500GB drive away?

If the original contract requires the destruction of equipment, then the original contract price covers that. Not destroying the hard drives means you should give some money back to the government since you're not completing the work you were paid for.

If they allow old equipment to be used for the new contract there should be a discount on the new contract to account for this.

The problem isn't destroying the data. The problem is demonstrating that you've destroyed the data.
If you hand over all the media that the data is on for shredding, and it gets cataloged and then shredded, any bean counter can look and say "see? here's the certificate that says it was destroyed."
If you erase it and promise "I erased it! I swear! Honest!", there's not much to look at when they do their audit.

...and when they don't find the proof of destruction, your company loses the contract, you get fired for not following process resulting loss of contract or the company folds due to loss of revenue because of the loss of the contract.

That is why you do a two tier destruction process in these situations:

Tier 1 consists of a software erase, a physical degaussing and damaging the drive physically (but still keeping it in one piece). This can be accomplished either by drilling holes in the platters, or having a hydraulic ram bend the drive.

Tier 2 consists of handing the stack of bent drives to Iron Mountain or the shredding place who has the shredder online, who will hand back a certificate of destruction.

Don't try to find ways to cut costs or save money by skirting around your contractual obligations. You contract says to destroy the hard drives. You MUST destroy them. You WILL lose your contract if you do not.

If you have a Security department, take you concern to them or your Contracts Manager for this contract. They will tell you the same thing...especially if it's a classified program.

If the drives are a couple of years old, you might be better off destroying the drives and buying new ones. The cost of certified drive destruction is pretty cheap, new drives can be had for not much ($60 to 200 depending on whether desktop or workstation).

The lifespan of drives isn't infinite so this would be a good opportunity to replace the 3 or 4 or 5 year old drives with new ones. The incremental labor of removing the drive, putting it in the send out for s

I think that what you want is The Ephemerizer, by Radia Perlman (she of OSPF fame). I heard about this a few years ago at the LISA conference, and a bit of digging turned it up. From the abstract [mendeley.com]:

This paper is about how to keep data for a finite time, and then make it unrecoverable after that. It is difficult to ensure that data is completely destroyed. To be available before expiration it is desirable to create backup copies. Then absolute deletion becomes difficult, because even after explicitly deleting it, copies might remain on backup media, or in swap space, or be forensically recoverable. The obvious solution is to store the data encrypted, and then delete the key after expiration.

> I've looked at using encryption as a means of destroying data, in that if you encrypt a drive or a set of files with an appropriately long and complex key, and then destroy all copies of that key, that data effectively is destroyed

How do you destroy the key? You encrypt it and destroy the second key that you used to encrypt the first one? That's convenient, now you just have to repeat the process in a recursive manner and it should be completed in NaN years.

Simple: Key on usb-key, destroy that. Or use passphrases that unlock the key and destroy the master-key. For example, LUKS is implemented that way with explicit anti-forensic splitting of the master-key, i.e. if you successfully wipe just a few bytes of the master key blown up to about 100kB, you are quite secure.

As to secure destruction, encryption is quite fine, if it is modern encryption done right. (I have seen some commercial things that were just stupid....) Overwriting, as some here suggested unfortunately does not do the job, because of defect management. For sectors still in use, it is likely just as secure as encryption, but it does exactly noting for reallocated blocks. (Even more so for SSDs and flash-drives).

For Windows, TrueCrypt is a good solution. For Linux LUKS with defaults or AES in XTS mode.

Er... if overwriting is not sufficient due to defective sectors, then how does encrypting the data deal with those defective sectors? And how does writing an encrypted version to a SSD do a better job than writing random data to a SSD? It's worse, because you can write data to the entire SSD whereas encrypting will only write as much as you encrypt, leaving some blocks unwritten.

Indeed. The defectives must already have encrypted data in them that was put there _before_ they became defective.

For overwrites, HDDs, and possibly SSDs, can be wiped with a single pass of zeros. Also, you do overwrites of course on the raw device, not on the filesystem level. (May be a bit difficult to grasp and do for windows users, but is trivial on anything UNIX.)

What's more, destruction of hard drives means we have to buy new ones, which is going to cost us a lot of money, particular with prices being so high.

It should have been part of the contract negotiations that the cost of the HDDs is paid for by the government. If it wasn't your company should still have padded their fee to include this cost. If it wasn't, someone should be fired. You can then destroy the drives as required by the contract and use the salary savings to pay for new drives.

The only person that can resolve this for you is the government contracting officer. They will have to review the requirements and decide what is an acceptable solution. You can offer up solutions, including keeping the drives in place since the equipment is staying there anyway, but they must make the call.

There hands may be tied by regulations that require physical destruction; in which case you have no choice. They may be able to approve keeping the drives. In the end, they will do whatever keeps them

So people have already said use DBAN. So I'll point out Symantec Ghost also wipes drives drives using the GDisk utility. Both Ghost and DBAN can wipe a drive with a DoD standard 5220.22-M wipe. Surely if it's good enough for national defense...

Just because a wipe utility says it can do a DoD wipe, doesn't mean it does. Even if it does(likely), doesn't mean that the NSA&DoD has tested/audited said program to ensure that it meets the required standards(suprisingly unlikely).

If you've got stiff data remanence requirements in your existing contract, it sounds like you'll need to ask for a contract modification. Not knowing exactly what sort of data you're working with, I'll just say it sounds like the customer really wanted to make sure their data didn't end up on eBay by accident.

The time to have provided for an non-destructive alternative would have been when the original contract was being negotiated. That said, ask your PM to ask the customer contracts officer about it. Keep

Where I work (non-govermental) they are required by law to ensure data is not recoverable from surplus or decomissioned systems, even desktops and notebooks. 'Ensure' means to guarantee upon legal and regulatory penalties up to and including forfeiture of profits and punitive damages in excess of the company's net worth and revenue. In other words, the penalty is bankruptcy and dissolution.

We wish to avoid that.

There is, sadly, only one absolutely guaranteed method of preventing data recovery, and that is

If it's reversible, you do it. The fact is that if the hard drive read head writes a zero, the hard drive read head will read a zero, it will not read a 0.0003 and be able to speculate that it was once a 1.

Oh yes, that challenge totally answered the question once and for all! What drive recovery or intelligence agency could resist the reward of... wait for it,

$40.00 USD and the title "King (or Queen) of Data Recovery".

$40.00 US DOLLARS!!! And they can keep a 60$ HDD!!! For performing a time-intensive, expensive procedure! Yeah, that totally shows everyone...

Oh and most challengers also wouldn't be able to disassemble the drive. And would have to publicly disclose the method used (heh, yeah, I can totally see the NSA jumping at the opportunity to prove some random Internet blogger wrong while disclosing all their methods). I'm sorry, but that challenge is so obviously a joke, it's actually sad, because people think it answers... well, anything. (source [hostjury.com], BTW. Original source has absolutely zero info AFAICT.)

Which says "As of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media within the same security area/zone, but not as a sanitization method. "

Since it's the same vendor on the same contract, there's a strong argument that it's the "same security area/zone".

Didn't someone offer a prize for anyone who could recover data from a zeroed drive?

That hasn't been true for at least 10-15 years. Modern hard drives use variable signal strength to record multiple bits into each spot. I believe the official term someone came up with was "vertical recording". In vastly simplified terms, it boils down to this: instead of storing nothing (0) or a magnetic field (1), you store nothing, weak, moderate, or strong. 4 levels = 2 bits. Increase the sensitivity and analog-digital resolution, add some DSP ma

I'm curious why you really even need "random" data to "approach irreversibility" - wouldn't writing all zeroes, then all ones, then all zeroes, then all ones a few times effectively make the original data be "forgotten"? By then, every bit has previously been one, every bit has previously been zero, multiple times?

The original reason HDD data was recoverable was because the head did not perfectly create or remove magnetic regions on the media. Imperfections, head wobble, electrical noise - all contributed to creating variable sized domains. Now, magnetic polarization of materials has some odd effects - one is that inducing a region of magnetic polarity doesn't swamp out a neighboring region, it will first "push" it away. So if you write "1", then "0", then "1", the thin band of magnetism from the first "1" will be at the outer most edge of the track, with another thin band of "0" and finally the actual "1" that the head sees.

The "killer app" of magnetic force microscopy was then that you could stick the platters under MFM and beat the resolution of the head for reading the data - the oldest copy of the data would be squished up at the edge of the track, the second oldest further in and so on and so forth - you could actually read back several generations of hard disk data.

Of course, since that age, technology has changed - hard disks now use RF modulation to store multiple bits per space, bit densities have shot up, and heads track much more accurately - basically, the physics has been beaten out since we are now writing much more complex data, and almost every single bit of magnetically encodeable space on a hard disk is now used to encode data - there's (very little) space between platters, and what signal you get there is likely irrecoverably fuzzed RF if you can even see it at all.

Time after time after time people report finding sensitive data on used or off-lease systems. Replacing drives is trivial vs the risk of a breach (and also trivial vs the cost of most contracts that have such requirements)

Encryption solves the problem, if implemented and used correctly all of the time, and if no keys were lost or compromised (with or without anyone's knowledge)

Destroyed drives tell no tails.

Even the company I work for is requiring HD destruction as opposed to just a decent low level formatting.

Given that you can't actually low-level format modern drives out of the factory, I'm not sure what yo

Seconding this. The goal of the process is 100% certainty that the data does not become available to anyone ever again. The fact that one of the reasons you want an alternative is because it's expensive to buy new drives is a gigantic strike against you -- you've basically admitted that you want to re-use the drives. Nobody in the government is going to approve a plan that involves the re-use of drives that have had sensitive information on them. And, of course, any plan that doesn't involve drive re-use *s

Classified+ require physical destruction/demilling of the drives. Some company failing to follow these stipulations when it comes to classified/S/TS/SCI data is going to lose their contract at best, or someone may face prison time at the worst.

Disclaimer: I AM a uniformed DoD servicemember who's duties impign upon this, but I am NOT a contract expert, nor do I know the level of data he's processing. Heck, I don't even know if you're working with the DoD.

1. Ignore all other advice in this thread about using programs to wipe HDs. Only NSA approved wiping software may be used, and the instructions would have to be followed to the letter. In this field non-approved programs aren't considered trustworthy enough. The base2. While the DoD is movi

The contract was probably written that way so that the incumbent could not undercut the competition by avoiding the costs involved in destruction and replacement. That would leave no option but to swallow that cost and do as the nice government says.